ATS必须满足的条件

服务器支持 TLSv 1.2 协议
PFS(完全正向保密)ECDHE

服务器操作系统版本要求(支持TLS1.2)

WIN 2008 R2 IIS 7 以上版本
CentOS 6+  OpenSSL 1.0.1c+
Apache 2.4 +
Nginx 1.0.6+
JDK1.7 
tomcat7.0.56+

 

1 . TLS1.2 请根据上面版本要求升级.

2. ECDHE  apache 、nginx设置方法  (点此查看)

3. Linux操作系统 尽量使用较新版本

 

连接必须使用 AES-128 或者 AES-256 加密,并且支持PFS(完全正向保密)ECDHE , Apple 推荐以下加密套件:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Apache 设置方法(必须满足上面服务器版本要求):

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off 
SSLSessionTickets Off

Nginx 设置方法(必须满足上面服务器版本要求):

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

Lighttpd设置方法(openssl 必须符合要求)

ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-compression = "disable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

Apple 官方文档

https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html